Release 31.0.4

Release 31.0.4 introduces one breaking change (see below). It also brings a handful of containerization improvements, fixes several security vulnerabilities, upgrades many potentially vulnerable dependency libraries, fixes one bug in the BSM daemon, and fixes many non-security bugs.

Breaking changes

• The GpDetector and ScriptPolicy now require that their scripts be located beneath $OPENNMS_HOME and beneath $OPENNMS_HOME/etc/script-policies, respectively. If you are using either of these classes in your foreign-source definitions, please address this requirement before upgrading to this release.

Known issues

The following known issues impact Horizon 31.0.4; we expect all to be fixed in the next micro-version release:

• Regular users are unable to acknowledge or clear alarms from the geographical map’s integrated alarm browser. Until we identify a fix, it is possible to work around this problem by adding ROLE_REST to a user’s set of assigned roles. See NMS-15080 for details. Thanks to Ricardo Monteiro for bringing this problem to our attention.
• On systems where dual-write time series persisting is enabled, an intermittent startup problem may cause either a delay in data starting to be persisted, or a hard failure necessitating a restarting of the core. See NMS-15326 for details.
• The ALEC plugin currently cannot be successfully installed on a Sentinel node. At release time, it is unclear whether the problem lies in Sentinel or in ALEC. Some details are captured in NMS-15396.

Shout-outs and errata

• Thanks to researcher Baharuddin Zulkifli of NetbyteSEC for reporting several cross-site scripting vulnerabilities.
• Thanks to researcher Stefan Schiller of SonarSource for reporting a pair of authenticated command-injection vulnerabilities.
• Thanks to Ricardo Monteiro for bringing the geo-map alarms problem NMS-15080 to our attention.
• The release notes for 31.0.3 incorrectly stated that NMS-15124 was fixed in that release. In actual fact, the fix is in this release (31.0.4).

Story

• Add search term highlight functionality in documentation (Issue NMS-13540)
• Geo Map node groups should split into individual markers (Issue NMS-15150)
• Meridian container images are signed (Issue NMS-15341)

The codename for Horizon 31.0.4 is Otap.

Enhancement

• remove image related defaults from Docker container makefile (Issue NMS-13583)
• Add documentation for SELinux as a requirement to run OpenNMS (Issue NMS-14210)
• No way to know the alarm type (as type 1, 2 or 3) from web UI (Issue NMS-14578)
• Deploy Release Jars to Maven Central (Issue NMS-14727)
• Make the cloud connect plugin available in container images (Issue NMS-15012)
• Data collection and graph definitions for provisiond performance (Issue NMS-15018)
• DOC: Configuration Manager API for External Requisitions is not documented (Issue NMS-15019)
• Update docs with steps to activate Path Outage feature (Issue NMS-15218)
• Container: output some details when we copy files into the container in entrypoint.sh (Issue NMS-15226)
• Update VMware provisiond handler docs (Issue NMS-15270)
• Make the ALEC plugin available in container images (Issue NMS-15349)
• Make the Cortex TSS plugin available in container images (Issue NMS-15350)
• Smoke test improvements and small tweaks to help developers (Issue NMS-15387)

Bug

• Multiple stored and reflected XSS in webapp (Issue NMS-14854)
• Authenticated Command Injection in GpDetector and ScriptPolicy (Issue NMS-14878)
• Cacheable HTTPS Responses - Cache Control Directive Missing or Misconfigured (Issue NMS-14936)
• reloading BSM daemon causes the state of serviceProblem alarm to be reset (Issue NMS-15124)
• Notification number doesn’t show more than 2 digits (Issue NMS-15172)
• Jetty context startup failures are not clearly communicated to the user (Issue NMS-15179)
• CVE-2017-7504 for javassist 3.18.2-ga and 3.19.0-ga (Issue NMS-15191)
• CVE-2017-7504 for jboss-logging 3.1.0.cr2 (Issue NMS-15192)
• CVE-2014-2228 for org.restlet 1.1.10 (Issue NMS-15193)
• CVE-2019-13990 for quartz 2.2.3 (Issue NMS-15194)
• CVE-2022-45047 for sshd-sftp 2.5.1 (Issue NMS-15195)
• CVE-2021-21342 and 7 others for xstream 1.4.11.1 (Issue NMS-15196)
• CVE-2014-9970 for jasypt 1.9.0 (Issue NMS-15197)
• CVE-2021-33813 for jdom2 2.0.6 (Issue NMS-15198)
• CVE-2022-40149 and CVE-2022-40150 for jettison 1.3.8 (Issue NMS-15199)
• CVE-2016-5725 for jsch 0.1.51 (Issue NMS-15200)
• CVE-2022-3171 for protobuf-java 3.16.1 (Issue NMS-15201)
• CVE-2018-17187 for proton-j 0.14.0 (Issue NMS-15202)
• CVE-2017-15288 and CVE-2020-7907 for scala-library 2.11.0 and 2.12.12 (Issue NMS-15203)
• CVE-2020-13936 for velocity 1.7 (Issue NMS-15204)
• CVE-2020-11988 for xmlgraphics-commons 1.4 (Issue NMS-15205)
• rescanExisting does not trigger a nodeScan for newly added nodes when scan-interval is 0 in foreignSource definition (Issue NMS-15208)
• Update docs TOC to include missing notification commands file (Issue NMS-15266)
• CircleCI: integration-test job isn’t reporting test results (Issue NMS-15271)
• NPE in karaf.log when parallel TSDB writes enabled (Issue NMS-15282)
• Sanitize request parameters in outage/list.htm (Issue NMS-15294)
• Plaintext Password Present in the Web logs (Issue NMS-15305)
• Upgrade Apache Kafka Dependency Beyond 3.2.0 (Issue NMS-15317)
• RingBufferTimeseriesWriter.destroy can take a long time or hang due to BlockingServiceLookup.lookup in WorkProcessors (Issue NMS-15324)
• Dead transaction in flow thresholding on sentinel (Issue NMS-15340)
• Regular requisition editor empty state incorrectly names external requisitions (Issue NMS-15347)
• When we fail to startup, we don’t exit with a non-zero exit code so failures cannot be properly reflected in containers (Issue NMS-15386)
• ALEC plugin dependency update (Issue NMS-15391)

Task

• CVE in Jolokia 1.3.3 dependency (Issue NMS-15068)
• CVE-2021-37714 for jsoup (multiple versions) (Issue NMS-15069)
• vulnerable Junit dependency (Issue NMS-15074)
• RHEL9 installation documentation tab (Issue NMS-15079)
• Document deviceconfig tftp maximumReceiveSize (Issue NMS-15121)
• JAVA_KEYALIAS Variable needs to be updated (Issue NMS-15239)
• JAVA_KEYSTORE Variable needs to be updated (Issue NMS-15240)
• JAVA_STOREPASS Variable needs to be updated (Issue NMS-15241)
• Document the breaking changes done as part of Limit script file locations for GpDetector and ScriptPolicy (Issue NMS-15288)
• Release notes / wart: ALEC not installable on M2023.1.0 / H31.0.4 Sentinel (Issue NMS-15403)
• Release notes / wart: dual-write TS delay on startup (Issue NMS-15404)
• Release notes / wart: Geo map alarms and ROLE_REST (thank Ricardo Monteiro for the report) (Issue NMS-15406)

Epic

• Publish container images to a container registry other than DockerHub (Issue NMS-15091)

Unexpected Behavior

• Link on Netflow9 to main Netflow doc is broken (Issue NMS-15144)